Summary

Under the proposed Cloud and AI Development Act (CADA), public bodies possess a limited, conditional power to waive EU data residency requirements, but only for Union assurance levels 1, 2, and 3. The criteria in Annex II explicitly state that customer data must remain within the Union "unless the public sector body explicitly requires otherwise." However, this waiver mechanism is strictly prohibited for Union assurance level 4. For level 4, where data is identified as sensitive following a risk assessment, residency within the Union is absolute and non-negotiable, with no "unless" clause permitting a public body to override the requirement.

Detail

The Cloud and AI Development Act (CADA), as proposed in COM(2026) 502 final, establishes a harmonised Union cloud computing sovereignty framework comprising four assurance levels. A cornerstone of this framework is the requirement for data localisation, which serves to mitigate risks associated with third-country access and ensure operational autonomy. While the baseline rule across the framework is that data must remain within the Union, the text introduces a specific, conditional derogation for lower assurance levels that vanishes entirely at the highest tier.

The Conditional Waiver at Levels 1, 2, and 3

For cloud computing services seeking recognition at Union assurance levels 1, 2, and 3, the regulation establishes a default requirement for data residency but couples it with a specific exception clause. The criteria in Annex II mandate that customer data (including metadata and telemetry data) processed, stored, and transferred by the provider and its subcontractors must remain exclusively within the Union.

However, this requirement is not absolute for these three levels. The text explicitly includes a derogation that allows the contracting public authority to override the residency rule.

  • Union Assurance Level 1: Under Annex II, Section 1.1(c), the criterion states that data must remain exclusively within the Union, "unless the public sector body explicitly requires otherwise and at any time, including before, during or after the configuration or use of the service."
  • Union Assurance Level 2: Similarly, Annex II, Section 2.1(c) mandates that data remain exclusively within the Union, "unless the public sector body explicitly requires otherwise and at any time, including before, during or after the configuration or use of the service."
  • Union Assurance Level 3: The same flexibility applies at Level 3. Annex II, Section 3.1(c) states that data must remain exclusively within the Union, "unless the public sector body explicitly requires otherwise and at any time, including before, during or after the configuration or use of the service."

This specific phrasing creates a conditional waiver. The restriction on data residency is a default compliance position that can be overridden, but only if the public sector body takes the active step of "explicitly requir[ing] otherwise." The phrase "at any time" indicates that this instruction can be dynamic, covering the entire lifecycle of the service, from initial configuration through to ongoing use. Crucially, the waiver is not a unilateral right of the provider to move data; it is a specific instruction from the customer that the provider must document to maintain compliance with the assurance level criteria.

The Absolute Bar at Union Assurance Level 4

The flexibility available at levels 1, 2, and 3 disappears entirely at Union assurance level 4. This level is designed for the most critical public order activities, involving high-sensitivity data and national security interests where the risk of third-country access or disruption is unacceptable.

Annex II, Section 4.1(c) stipulates that customer data, which is identified as sensitive following a risk assessment, "must remain exclusively within the Union and at any time, including before, during or after the configuration or use of the service."

Critically, this provision does not contain the "unless the public sector body explicitly requires otherwise" clause found in the lower levels. The absence of this derogation is deliberate. For services recognised at Level 4, a public body cannot waive data residency requirements. Even if a public authority explicitly instructs a provider to store sensitive data outside the Union, such an instruction would render the service non-compliant with the Level 4 criteria. Any cloud provider claiming Level 4 compliance must ensure that sensitive data never leaves EU territory, regardless of the public body's operational preferences or contractual negotiations.

The Role of Risk Assessments and Procurement

The ability to waive residency at levels 1–3 is intrinsically linked to the risk assessment obligations placed on Member States and Union entities under Article 29. Before procuring cloud services, public bodies must carry out risk assessments to determine which Union assurance level is appropriate for their activities.

Article 30 further clarifies procurement obligations:

  • Public sector bodies whose activities are not identified as contributing to the preservation of public order must use services recognised at Union assurance level 1.
  • Contracting authorities whose activities are identified as contributing to the preservation of public order (e.g., in national security, defence, justice, or law enforcement) must only procure services recognised at Union assurance levels 2, 3, or 4.

If a public body opts to waive data residency at Level 1, 2, or 3, it must ensure that this decision is consistent with its risk assessment. The waiver is a contractual or operational instruction, but it does not absolve the provider from meeting the other cumulative criteria of the respective assurance level, such as cybersecurity certification, personnel screening, and supply chain transparency. Furthermore, if a risk assessment determines that the data is sensitive enough to require Level 4 assurance, the waiver mechanism is legally unavailable, and the provider must ensure strict EU residency.

Operational Implications for Providers

For cloud providers, the "explicit requirement" language places the onus on clear contractual documentation. To maintain recognition at Levels 1–3 while hosting data outside the EU, the provider must have written evidence that the public sector body explicitly required this arrangement. Ambiguity in contracts could lead to a finding of non-compliance during audits by auditing organisations (as defined in Article 20) or investigations by national competent authorities.

Providers must also distinguish between general data and sensitive data. Even at Levels 1–3, if the risk assessment identifies certain data as sensitive enough to warrant higher protection, the public body's waiver must be explicit for those specific datasets. However, if the sensitivity triggers a requirement for Level 4 assurance, the waiver mechanism is unavailable, and the provider must ensure strict EU residency.

What this means for you

For in-house counsel and compliance officers, the distinction between Levels 1–3 and Level 4 is a binary switch for data residency waivers.

  1. Audit Your Current Contracts: If your organisation procures cloud services at Levels 1–3 and currently stores data outside the EU, ensure your contracts contain explicit clauses where the public body authorises this exception. Without this explicit requirement, you may be in breach of Annex II criteria.
  2. Risk Assessment Alignment: Before waiving residency, verify that your risk assessment under Article 29 supports the chosen assurance level. Waiving residency may increase risk exposure, potentially necessitating a higher assurance level or additional mitigation measures.
  3. Level 4 Compliance: For any system handling sensitive data classified under Level 4, implement technical controls to guarantee data never leaves the EU. No contractual waiver will satisfy the regulatory criteria.
  4. Documentation: Maintain records of all explicit requirements from public bodies regarding data location. These documents will be critical evidence during independent third-party audits required for Levels 2–4.

Common misconceptions

"Public bodies can always waive data residency if they want to." This is incorrect. Waivers are only permissible for Levels 1, 2, and 3. For Level 4, data residency is absolute and cannot be waived by the public body.

"The waiver applies to all data types equally." The waiver applies to customer data generally at lower levels, but providers must still adhere to other data protection laws, such as the GDPR. A waiver under CADA does not negate GDPR requirements for lawful cross-border transfers.

"Level 1 services don't need to worry about residency." Level 1 services must keep data in the EU unless the public body explicitly requires otherwise. The default is EU residency; the exception requires active, explicit instruction from the customer.

This is general information about a draft EU regulation, not legal advice.